Partners

The 3 most important challenges indicated by CISOs

By Wim De Smet, CTO @ SecureLink

During the last 6 months, General Manager Jo Vander Schueren and I went on a roadshow to talk to our CxO-level customers. Our goal was to discover and understand their challenges, and to share our predictions on the future, and global challenges as well. Next to that, we wanted to see whether there were certain problems we could help with and how we can assist them as their Trusted Advisor. In this blog post, I want to share my most important findings with you.

There are 2 kinds of CISOs

I noticed that there are two distinct kinds of CISOs. There is the Technology-driven CISO who looks at point solutions to tackle some of his problems and there is the Framework-driven CISO who uses standards such as the CIS TOP 20 Framework to reach his goals.

The Technology-Driven CISOs

The Technology-Driven CISOs are the easy ones. That’s because we are used to talking about technology. It is, and has been in our DNA for years. Technology used to be the main driver in every aspect and department. This changed over the last 2 – 3 years. We are shifting from this technology-driven focus to a more service-driven one. Just think of our Insight / NOC / CDC / Managed Detection & Response services and others.

The Framework-Driven CISOs

Then, there are the Framework-Driven CISOs. Not everyone feels at ease when talking to them. The main reason is that, apart from the effort we put in creating service/solution-based presentations and our use of the Security Maturity Assessment as a starting point, the next step will still be a talk about products / technology. This is where this CISO will often lose his attention. The mapping of this high-level framework idea is often difficult. To tackle this difficulty, we will map the SecureLink services, solutions and technology to the CIS TOP 20 Framework.

The 3 main challenges of the CISOs

User Awareness

Technology is getting better and better, luckily. This protects businesses against many security threats. But, automatization and big data are not only useful to the good guys. Hackers can use these techniques too to get important information. Information they will hand over to specific specialists in that industry to create personal and manual attacks.

According to the Verizon Data Breach Investigation Report (2017), Phishing and pretexting represented 98% of all incidents and breaches that featured social engineering.

Email remains one of the biggest attack vectors. The end users are often the last one to decide whether to consider something safe or tricky. That is why CISOs are increasingly investing in End User Security Awareness Trainings.

At SecureLink, we offer an Interactive End User Security Training Program through modules and games which can include simulated attacks, knowledge assessments, mystery visits, USB phishing, awareness materials, voice phishing, workshops and more.

Oh yes: the cloud

Many companies are moving their applications to the cloud. Drivers are flexibility, automation, scalability, cost control, manageability and more. But, despite these drivers, many organizations remain hesitant because of the technical complexities and a lack of in-house knowledge. There is not much experience yet when it comes to this topic. The biggest companies who are usually the most innovative ones, are the first to notice these difficulties of course.

They like the speed, the flexibility and automatization capabilities of the cloud, but their biggest concern often remains the security aspect. A cloud environment is not secure by default. There is a shared responsibility. What are the responsibilities of the cloud providers and what are yours?

The IoT and ICS challenges of healthcare

IoT, standalone Industrial Control Systems (ICS) and medical devices all have one thing in common: they are difficult to secure since you don’t have direct access to them.

IoT devices rely on a central point of control – in the cloud. And again, I need to stress how important it is to secure that cloud. All communication between IoT devices and their management (tools/apps that give reports, instructions, etc.) should be secured and locked down if needed.

Companies need avoid data from being manipulated or adjusted for example. That is why the individual IoT devices should definitely not be forgotten. Medical devices are not managed by the healthcare organizations themselves, but by third parties. So, make sure you shield these devices well. This can be done through segmentation. You also need to make sure you monitor them well. Last, but not least, it is very important to set up a VDI environment so you don’t have a direct connection between the device and the 3rd party network.

Do you have a question? Please do not be hesitant to ask for more information. You can call us at +32 3 641 95 95 or send us an email via [email protected]